diff --git a/manifests/conf.pp b/manifests/conf.pp index 89b84a7..ab362f1 100644 --- a/manifests/conf.pp +++ b/manifests/conf.pp @@ -1,124 +1,124 @@ # Define: sudo::conf # # This module manages sudo configurations # # Parameters: # [*ensure*] # Ensure if present or absent. # Default: present # # [*priority*] # Prefix file name with $priority # Default: 10 # # [*content*] # Content of configuration snippet. # Default: undef # # [*source*] # Source of configuration snippet. # Default: undef # # [*sudo_config_dir*] # Where to place configuration snippets. # Only set this, if your platform is not supported or # you know, what you're doing. # Default: auto-set, platform specific # # Actions: # Installs sudo configuration snippets # # Requires: # Class sudo # # Sample Usage: # sudo::conf { 'admins': # source => 'puppet:///files/etc/sudoers.d/admins', # } # # [Remember: No empty lines between comments and class definition] define sudo::conf( $ensure = present, $priority = 10, $content = undef, $source = undef, $template = undef, $sudo_config_dir = undef, $sudo_file_name = undef, $sudo_syntax_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' ) { include ::sudo # Hack to allow the user to set the config_dir from the # sudo::config parameter, but default to $sudo::params::config_dir # if it is not provided. $sudo::params isn't included before # the parameters are loaded in. $sudo_config_dir_real = $sudo_config_dir ? { undef => $sudo::config_dir, $sudo_config_dir => $sudo_config_dir } # sudo skip file name that contain a "." $dname = regsubst($name, '\.', '-', 'G') if size("x${priority}") == 2 { $priority_real = "0${priority}" } else { $priority_real = $priority } # build current file name with path if $sudo_file_name != undef { $cur_file = "${sudo_config_dir_real}/${sudo_file_name}" } else { $cur_file = "${sudo_config_dir_real}/${priority_real}_${dname}" } # replace whitespace in file name $cur_file_real = regsubst($cur_file, '\s+', '_', 'G') Class['sudo'] -> Sudo::Conf[$name] if $::osfamily == 'RedHat' { if (versioncmp($::sudoversion, '1.7.2p1') < 0) { warning("Found sudo with version ${::sudoversion}, but at least version 1.7.2p1 is required!") } } if $content != undef { if $content =~ Array { $lines = join($content, "\n") $content_real = "# This file is managed by Puppet; changes may be overwritten\n${lines}\n" } else { $content_real = "# This file is managed by Puppet; changes may be overwritten\n${content}\n" } } elsif $template != undef { $content_real = template($template) } else { $content_real = undef } if $ensure == 'present' { $notify_real = Exec["sudo-syntax-check for file ${cur_file}"] } else { $notify_real = undef } file { "${priority_real}_${dname}": ensure => $ensure, path => $cur_file_real, owner => 'root', group => $sudo::params::config_file_group, - mode => '0440', + mode => $sudo::params::config_file_mode, source => $source, content => $content_real, notify => $notify_real, } exec {"sudo-syntax-check for file ${cur_file}": command => "visudo -c -f '${cur_file_real}' || ( rm -f '${cur_file_real}' && exit 1)", refreshonly => true, path => $sudo_syntax_path, } } diff --git a/manifests/init.pp b/manifests/init.pp index 9662558..c04bf88 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,174 +1,176 @@ # Class: sudo # # This module manages sudo # # Parameters: # [*ensure*] # Ensure if present or absent. # Default: present # # [*package*] # Name of the package. # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*package_ensure*] # Allows you to ensure a particular version of a package # Default: present / lastest for RHEL < 5.5 # # [*package_source*] # Where to find the package. Only set this on AIX (required) and # Solaris (required) or if your platform is not supported or you # know, what you're doing. # # The default for aix is the perzl sudo package. For solaris 10 we # use the official www.sudo.ws binary package. # # Default: AIX: perzl.org # Solaris: www.sudo.ws # # [*package_admin_file*] # Where to find a Solaris 10 package admin file for # an unattended installation. We do not supply a default file, so # this has to be staged separately # # Only set this on Solaris 10 (required) # Default: /var/sadm/install/admin/puppet # # [*purge*] # Whether or not to purge sudoers.d directory # Default: true # # [*purge_ignore*] # Files to exclude from purging in sudoers.d directory # Default: undef # # [*config_file*] # Main configuration file. # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*config_dir*] # Main directory containing sudo snippets, imported via # includedir stanza in sudoers file # Default: auto-set, platform specific # # [*extra_include_dirs*] # Array of additional directories containing sudo snippets # Default: undef # # [*content*] # Alternate content file location # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*ldap_enable*] # Enable ldap support on the package # Default: false # # Actions: # Installs sudo package and checks the state of sudoers file and # sudoers.d directory. # # Requires: # Nothing # # Sample Usage: # class { 'sudo': } # # [Remember: No empty lines between comments and class definition] class sudo( Boolean $enable = true, String $package = $sudo::params::package, Optional[String] $package_ldap = $sudo::params::package_ldap, String $package_ensure = $sudo::params::package_ensure, Optional[String] $package_source = $sudo::params::package_source, Optional[String] $package_admin_file = $sudo::params::package_admin_file, Boolean $purge = true, Optional[String] $purge_ignore = undef, String $config_file = $sudo::params::config_file, Boolean $config_file_replace = true, + String $config_file_mode = $sudo::params::config_file_mode, String $config_dir = $sudo::params::config_dir, + String $config_dir_mode = $sudo::params::config_dir_mode, Optional[Array[String]] $extra_include_dirs = undef, String $content = $sudo::params::content, Boolean $ldap_enable = false, ) inherits sudo::params { case $enable { true: { $dir_ensure = 'directory' $file_ensure = 'present' } false: { $dir_ensure = 'absent' $file_ensure = 'absent' } default: { fail('no $enable is set') } } case $ldap_enable { true: { if $package_ldap == undef { fail('on your os ldap support for sudo is not yet supported') } $package_real = $package_ldap } false: { $package_real = $package } default: { fail('no $ldap_enable is set') } } class { '::sudo::package': package => $package_real, package_ensure => $package_ensure, package_source => $package_source, package_admin_file => $package_admin_file, ldap_enable => $ldap_enable, } file { $config_file: ensure => $file_ensure, owner => 'root', group => $sudo::params::config_file_group, - mode => '0440', + mode => $config_file_mode, replace => $config_file_replace, content => template($content), require => Class['sudo::package'], } file { $config_dir: ensure => $dir_ensure, owner => 'root', group => $sudo::params::config_file_group, - mode => '0550', + mode => $config_dir_mode, recurse => $purge, purge => $purge, ignore => $purge_ignore, require => Class['sudo::package'], } # Load the Hiera based sudoer configuration (if enabled and present) # # NOTE: We must use 'include' here to avoid circular dependencies with # sudo::conf # # NOTE: There is no way to detect the existence of hiera. This automatic # functionality is therefore made exclusive to Puppet 3+ (hiera is embedded) # in order to preserve backwards compatibility. # # http://projects.puppetlabs.com/issues/12345 # if (versioncmp($::puppetversion, '3') != -1) { include '::sudo::configs' } anchor { 'sudo::begin': } -> Class['sudo::package'] -> anchor { 'sudo::end': } } diff --git a/manifests/params.pp b/manifests/params.pp index 3404389..2b519fd 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,210 +1,212 @@ #class sudo::params #Set the paramters for the sudo module class sudo::params { - $content_base = "${module_name}/" + $content_base = "${module_name}/" + $config_file_mode = '0440' + $config_dir_mode = '0550' case $::osfamily { 'Debian': { case $::operatingsystem { 'Ubuntu': { $content = "${content_base}sudoers.ubuntu.erb" } default: { if (versioncmp($::operatingsystemmajrelease, '7') >= 0) or ($::operatingsystemmajrelease =~ /\/sid/) or ($::operatingsystemmajrelease =~ /Kali/) { $content = "${content_base}sudoers.debian.erb" } else { $content = "${content_base}sudoers.olddebian.erb" } } } $package = 'sudo' $package_ldap = 'sudo-ldap' $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $config_file_group = 'root' } 'RedHat': { $package = 'sudo' # in redhat sudo package is already compiled for ldap support $package_ldap = $package # rhel 5.0 to 5.4 use sudo 1.6.9 which does not support # includedir, so we have to make sure sudo 1.7 (comes with rhel # 5.5) is installed. $package_ensure = $::operatingsystemrelease ? { /^5.[01234]/ => 'latest', default => 'present', } $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = $::operatingsystemrelease ? { /^5/ => "${content_base}sudoers.rhel5.erb", /^6/ => "${content_base}sudoers.rhel6.erb", /^7/ => "${content_base}sudoers.rhel7.erb", default => "${content_base}sudoers.rhel6.erb", } $config_file_group = 'root' } 'Suse': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.suse.erb" $config_file_group = 'root' } 'Solaris': { case $::operatingsystem { 'OmniOS': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.omnios.erb" $config_file_group = 'root' } 'SmartOS': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/opt/local/etc/sudoers' $config_dir = '/opt/local/etc/sudoers.d' $content = "${content_base}sudoers.smartos.erb" $config_file_group = 'root' } default: { case $::kernelrelease { '5.11': { $package = 'pkg://solaris/security/sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.solaris.erb" $config_file_group = 'root' } '5.10': { $package = 'TCMsudo' $package_ldap = undef $package_ensure = 'present' $package_source = "http://www.sudo.ws/sudo/dist/packages/Solaris/10/TCMsudo-1.8.9p5-${::hardwareisa}.pkg.gz" $package_admin_file = '/var/sadm/install/admin/puppet' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.solaris.erb" $config_file_group = 'root' } default: { fail("Unsupported platform: ${::osfamily}/${::operatingsystem}/${::kernelrelease}") } } } } } 'FreeBSD': { $package = 'security/sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/usr/local/etc/sudoers' $config_dir = '/usr/local/etc/sudoers.d' $content = "${content_base}sudoers.freebsd.erb" $config_file_group = 'wheel' } 'OpenBSD': { if (versioncmp($::kernelversion, '5.8') < 0) { $package = undef } else { $package = 'sudo' } $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.openbsd.erb" $config_file_group = 'wheel' } 'AIX': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' $package_source = 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.9-6.aix53.lam.rpm' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.aix.erb" $config_file_group = 'system' } 'Darwin': { $package = undef $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.darwin.erb" $config_file_group = 'wheel' } default: { case $::operatingsystem { 'Gentoo': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.gentoo.erb" $config_file_group = 'root' } 'Archlinux': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.archlinux.erb" $config_file_group = 'root' } 'Amazon': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = $::operatingsystemrelease ? { /^5/ => "${content_base}sudoers.rhel5.erb", /^6/ => "${content_base}sudoers.rhel6.erb", default => "${content_base}sudoers.rhel6.erb", } $config_file_group = 'root' } default: { fail("Unsupported platform: ${::osfamily}/${::operatingsystem}") } } $package_source = '' $package_admin_file = '' } } }